For other types of realms, you configure role mappings for users and groups in a YAML file and copy it to each node in the cluster. Tools like Puppet or Chef can help with this.
By default, role mappings are stored in
ES_HOME/config (zip/tar installations) or
/etc/elasticsearch (package installations).
To specify a different location, you configure the
role_mapping settings in
role_mapping settings enable you to use a different set of mappings for each realm type:
- The location of the role mappings for LDAP realms.
- The location of the role mappings for Active Directory realms.
- The location of the role mappings for PKI realms.
For Shield to read the mapping file, it must be stored in the Elasticsearch
Within the role mapping file, Shield roles are keys and groups and users are values. The mappings can have a many-to-many relationship. When you map roles to groups, the roles of a user in that group are the combination of the roles assigned to that group and the roles assigned to that user.
The available roles are defined in the roles file. To specify users and
groups in the role mappings, you use their Distinguished Names (DNs). A DN
is a string that uniquely identifies the user or group, for example
Shield only supports Active Directory security groups. You cannot map distribution groups to roles.
The name of a Shield role defined in the roles file.
The distinguished name of an LDAP group or an Active Directory security group.
The distinguished name of an LDAP or Active Directory user. [1.1.0] Added in 1.1.0.
monitoring: - "cn=Admin,ou=example,o=com" user: - "cn=John Doe,ou=example,o=com"